0
votes

I have two AWS accounts:

DEV:  111111111111
PROD: 999999999999

I created a CodeCommit repo in the PROD account called prodRepo.

What I want to do is allow an EC2 instance in the DEV and PROD accounts to have read-only access to this repo, so git clone, git pull, etc.

I can do this easily in my PROD account using the following IAM instance profile called codecommit-tester:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:List*"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:999999999999:prodRepo"
    }
  ]
}

The Trust Relationship policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Then I use the AWS credential helper in the git config to perform read-only git operations without having to store credentials on my machine (it gets the credentials for CodeCommit from the instance metadata).

$ cat ~/.gitconfig
[credential]
    helper = !aws codecommit credential-helper $@
    UseHttpPath = true

The problem I am having is creating the IAM policy/role on the DEV account to do the same thing as on the PROD account. Here is what I tried.

I edited the Trust Relationship on the PROD account to trust the DEV account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Now I think this means the DEV account can assume this role. On the DEV account I created these IAM policies attached to a role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:BatchGetRepositories",
                "codecommit:Get*",
                "codecommit:GitPull",
                "codecommit:List*"
            ],
            "Resource": "arn:aws:codecommit:us-east-1:999999999999:prodRepo"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::999999999999:role/codecommit-tester"
    }
}

I use the credential helper on the DEV account after launching an EC2 instance with this IAM instance profile, and I get this error when performing a git clone:

$ git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/prodRepo
Cloning into 'prodRepo'...
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/prodRepo/': The requested URL returned error: 403

So what did I miss in the IAM roles/policies on the DEV account to make this work?
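An added example, not part of the original question or of the answer that follows. The DEV clone returns 403 because `aws codecommit credential-helper` signs the request with whatever the AWS CLI's default credential chain resolves to, and on the DEV instance that is the DEV instance role, never the PROD role: nothing in the setup above ever calls sts:AssumeRole. Granting codecommit:* on the PROD repository ARN to the DEV role is inert on its own, since CodeCommit has no resource-based policies and authorization happens in the PROD account under the assumed role. The missing piece is an AWS CLI profile that assumes codecommit-tester from the instance credentials (credential_source = Ec2InstanceMetadata), passed to the credential helper with --profile. The role ARN, region and repository URL are the question's; the profile name prod-codecommit, the file paths and the function names are my assumptions. The config-writing and offline-check functions run anywhere; verify_access needs live AWS credentials and only runs when the script is invoked with `install` on the DEV instance.

```shell
#!/bin/sh
# Added example (not from the original post): point the DEV instance at the
# PROD role through an AWS CLI profile, then hand that profile to the
# CodeCommit credential helper. Paths and the profile name are parameters so
# the functions can be exercised against temp files; the ARN, region and
# repo URL are the ones from the question.
set -eu

PROD_ROLE_ARN="arn:aws:iam::999999999999:role/codecommit-tester"
REPO_URL="https://git-codecommit.us-east-1.amazonaws.com/v1/repos/prodRepo"

# write_aws_profile CONFIG_FILE PROFILE ROLE_ARN REGION
# Appends a profile that assumes ROLE_ARN using the instance's own
# credentials. The DEV instance role then needs only sts:AssumeRole on
# ROLE_ARN; the CodeCommit permissions stay on the PROD role.
write_aws_profile() {
    config="$1"; profile="$2"; role_arn="$3"; region="$4"
    mkdir -p "$(dirname "$config")"
    printf '[profile %s]\nrole_arn = %s\ncredential_source = Ec2InstanceMetadata\nregion = %s\n' \
        "$profile" "$role_arn" "$region" >> "$config"
}

# write_git_credential_helper GITCONFIG_FILE PROFILE
# Same helper as the question's ~/.gitconfig, but with --profile so the
# helper signs with the assumed PROD role instead of the raw instance creds.
write_git_credential_helper() {
    gitconfig="$1"; profile="$2"
    printf '[credential]\n\thelper = !aws codecommit credential-helper --profile %s $@\n\tUseHttpPath = true\n' \
        "$profile" >> "$gitconfig"
}

# profile_assumes_role CONFIG_FILE PROFILE ROLE_ARN
# Offline sanity check: returns 0 when the named profile section carries
# ROLE_ARN and uses instance metadata as its credential source.
profile_assumes_role() {
    awk -v p="[profile $2]" -v arn="$3" '
        $0 == p { in_p = 1; next }
        /^\[/   { in_p = 0 }
        in_p && $1 == "role_arn" && $3 == arn { have_arn = 1 }
        in_p && $1 == "credential_source" && $3 == "Ec2InstanceMetadata" { have_src = 1 }
        END { exit !(have_arn && have_src) }' "$1"
}

# verify_access PROFILE
# On the DEV instance: confirm the role chain first (the ARN printed must be
# an assumed-role ARN for codecommit-tester in 999999999999), then do a
# read-only git operation. Not run at load time: it needs live credentials.
verify_access() {
    profile="$1"
    aws sts get-caller-identity --profile "$profile" --query Arn --output text
    git ls-remote "$REPO_URL" HEAD
}

if [ "${1:-}" = "install" ]; then
    write_aws_profile "$HOME/.aws/config" prod-codecommit "$PROD_ROLE_ARN" us-east-1
    write_git_credential_helper "$HOME/.gitconfig" prod-codecommit
    verify_access prod-codecommit
fi
```

With this in place the DEV role's policy can drop the codecommit:* statement entirely and keep only sts:AssumeRole on the PROD role ARN. On the PROD side, trusting arn:aws:iam::111111111111:root delegates to DEV's IAM: any DEV principal that has sts:AssumeRole on codecommit-tester can assume it. If only the one DEV instance should reach the repo, trust that instance role's ARN instead of the account root, and keep the ec2.amazonaws.com statement because the PROD instance still relies on it.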

1 Answer

1
votes

I think you don't need the IAM role in DEV which you mention ("On the DEV account I created these IAM policies attached to a role"). I have not tried cross-account assume role from an instance, but if you can create a new IAM role in the PROD account with

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::999999999999:role/codecommit-tester"
    }
  ]
}

and the trust relationship would be something like

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

and just assume the new IAM role ARN from the DEV EC2 role.